CISOs need to work out some processes, and quickly
The European Court of Justice’s recent ruling that Google must erase search results at the request of individuals is only the tip of the iceberg. It has spawned a host of issues surrounding ‘the right to be forgotten’ under the Data Protection Directive 1995, a framework intended to give ordinary individuals full control of their personal data in the digital world.
This ruling does not affect search engines like Google alone, although Google has since received 40,000 requests (and counting) from people to remove their data. In the long term, it will affect almost every organisation, all of which now face significant policy and technology-related enforcement challenges. The regulation can be invoked by any individual who is a citizen of the EU.
Given that data protection falls under the remit of the CISO, our security experts must begin to get to grips with the implications of this ruling. They must, in consultation with their organisation, determine how to ascertain the legitimacy of such requests, and define processes to ensure that the regulation is complied with fully. They need to establish a framework that sets out who in the organisation decides that a particular request warrants deletion of the information (i.e. that the individual’s need for privacy is greater than the organisation’s right to hold it), what investigative process must be followed to arrive at that conclusion, and, if the decision is not in the individual’s favour, who handles appeals and complaints.
From a technical standpoint, the biggest challenge CISOs face is eliminating unauthorised duplication of data. To fully implement the ruling, every copy of the information in question must be removed across the entire corporate estate: PCs, internal and external servers, backups, local disks and disaster recovery systems, not to mention the USB sticks, smartphones and tablets that employees use.
Despite best efforts, it is impossible to locate every copy (full or partial) of a particular piece of data and be sure that the information has indeed been eliminated from the company’s records. An employee may have retained a hard copy, or someone may hold an unauthorised screen grab of the information on a personal device. Furthermore, organisations often share corporate information as part of larger shared networks spanning jurisdictions: while the information is subject to removal in the EU, it could very easily remain available in another part of the company in another country. Similarly, enterprises’ cloud servers are often located outside the EU.
In addition, there are existing rules on data retention, so a ‘right to be forgotten’ or erasure request must be handled in compliance with both sets of rules.
All these complexities will compromise the effectiveness of the ruling, are likely to increase the risk of non-compliance for organisations, and will potentially put CISOs under even more pressure. At present there is no precedent establishing a right or wrong way for organisations to execute such requests, so we can only guess at the repercussions of failing to execute them.
Frankly, the ruling is ambiguous in its guidance on implementation. The EU needs to do a great deal more to clarify, to organisations and individuals alike, how this regulation will work in practice. The intent of the ruling may be honourable, but its technical implementation is ill thought through. The risk of a ‘whitewash’ is significant, and the ruling will prove costly and distracting for businesses unless these issues are ironed out.
Yves Le Roux, member of (ISC)² European Advisory Board